Login | Register   
LinkedIn
Google+
Twitter
RSS Feed
Download our iPhone app
TODAY'S HEADLINES  |   ARTICLE ARCHIVE  |   FORUMS  |   TIP BANK
Browse DevX
Sign up for e-mail newsletters from DevX


advertisement
 

More Best Practices to Secure Your Web Server

Part 2 of our series shows you how to secure services such as FTP, Apache HTTP server and outgoing e-mail server (SMTP).


advertisement

In the first part of this article, we discussed how to secure WHM/cPanel login, as well as SSH network protocols. Now, let's see how to secure other services, such as FTP, an Apache HTTP server and outgoing e-mail server (SMTP).

FTP

Use FTPS

The FTP (File Transfer Protocol) is a standard network protocol used to transfer computer files from one host to another host over a TCP-based network. However, this protocol does not encrypt the data, so it is strongly recommended to avoid it. FTPS (File Transfer Protocol Secure) should be used instead. It uses SSL or TLS connection to encrypt the username and password, as well as the data. The protocol for file transfer is selected in FTP clients (e.g. FileZilla) and should be set to "Require explicit FTP over TLS". On the server side, we should configure the FTP server to deny insecure connections. Go to FTP server configuration in WHM and set TLS encryption support to "Required (Command/Data).

Use Pure-FTPD

There are two types of FTP server software: ProFTPD and Pure-FTPD. Use Pure-FTPD, as it is faster, more memory-efficient and can be protected from brute-force attacks by enabling cPHulk or Fail2ban.

Change default port

The default FTP port is 21. This is where the attackers would first try to find any vulnerability. It is good practice to change the default port to a non-standard one. Pick a port that is not used by any service (here is the list of TCP and UDP system ports). After that, open /etc/pure-ftpd.conf and find the following line:



 # Bind                      127.0.0.1,21 

Change 21 to the number you have chosen as your new FTP port number. Save the file and restart your FTP server.

Apache

Use HTTPS

When using HTTPS, all communication between your server and the user is encrypted, thus preventing eavesdropping. For additional security, you could get an SSL certificate.

Jail Apache users

The Apache should be configured in a way that a user cannot see other users' processes or files. This can be done by either enabling "Jail Apache" in tweak settings in WHM and setting users' shell access to jailed shell. This can also be achieved using software, such as CageFS.

Enable symlink protection

One of the common Apache vulnerabilities is symlink race condition vulnerability. If you enable both the SymLinksIfOwnerMatch and FollowSymLinks configuration settings, a malicious user would be able to serve files from anywhere on a server, regardless of file permissions. Here is a list of possible solutions along with their upsides and downsides.

Hide Apache version on error pages

By default, Apache error pages would include the Apache version, OS name and even the information about Apache modules installed on your server. It is advised to hide this information for security purposes:

 # vim /etc/httpd/conf/httpd.conf 

Find the following lines and change them to look like this:

 ServerSignature Off
ServerTokens Prod 

Save the file and restart Apache.

Disable directory listing

Another default Apache option is to list the contents of a directory when there is no index file. To disable this, open httpd.conf:

 # vim /etc/httpd/conf/httpd.conf 

Add the following code:

 <Directory /var/www/html>
    Options -Indexes
</Directory> 

Save the file and restart Apache.

Use mod_security

Mod_security is an Apache module that provides many security features — it acts like a firewall, monitors traffic and prevents brute-force attacks. It can be installed via yum by running the following command:

 # yum install mod_security 

Use mod_evasive

Mod_evasive is an Apache module that protects the server against DoS and DDoS attacks. It detects attacks via the following three methods:

  • If a certain number of requests come to the same page in a few times per second.
  • If any child process trying to make more than 50 concurrent requests.
  • If any IP is still trying to make new requests when it's temporarily blacklisted.

Mod_evasive can be also installed via yum package manager.

Disable Server side includes and CGI

Server Side Includes (SSI) and CGI scripts can be extremely dangerous if not carefully checked. It is a good idea to completely disable them and only enable them if needed on a case-by-case basis. Open httpd.conf and add the following code:

 <Directory "/home ">
Options -Includes -ExecCGI
</Directory> 

Note that you must specify a directory in which SSI and CGI are blocked.

DDoS attack protection

Although the best tools against the DoS and DDoS attacks would be network-level tools (such as software or hardware firewalls and other OS configurations), there are a number of Apache configuration settings that can help mitigate problems (according to Apache security tips):

  • The RequestReadTimeout directive allows you to limit the time a client may take to send the request.
  • The TimeOut directive should be lowered on sites that are subject to DoS attacks. Setting this to as low as a few seconds may be appropriate. As TimeOut is currently used for several different operations, setting it to a low value introduces problems with long running CGI scripts.
  • The KeepAliveTimeout directive may be also lowered on sites that are subject to DoS attacks. Some sites even turn off the keepalives completely via KeepAlive, which has of course other drawbacks on performance.
  • The values of various timeout-related directives provided by other modules should be checked.
  • The directives LimitRequestBody, LimitRequestFields, LimitRequestFieldSize, LimitRequestLine, and LimitXMLRequestBody should be carefully configured to limit resource consumption triggered by client input.
  • On operating systems that support it, make sure that you use the AcceptFilter directive to offload part of the request processing to the operating system. This is active by default in Apache httpd, but may require reconfiguration of your kernel.
  • Tune the MaxRequestWorkers directive to allow the server to handle the maximum number of simultaneous connections without running out of resources.

SMTP Server

Require SSL connection

Forcing clients to connect with SSL would significantly improve the e-mail security by preventing eavesdropping of usernames and passwords. This can be configured through WHM in the Exim configuration manager. Also, "Allow weak SSL/TLS ciphers" should be turned off.

Prevent dictionary attacks

Dictionary attacks are a type of brute-force attack where the malicious user tries to guess the correct username and password by testing the possible combinations using a pre-made word list. SMTP servers can be attacked using this type of attack, so it is important to protect it. In WHM in Exim configuration manager, set "Dictionary attack protection" to on. That will block or rate limit hosts with more than 4 failed login attempts.

Limit hourly number of e-mails per domain

This is a popular technique to prevent SPAM e-mails. It can be configured in Tweak settings in WHM and represents the maximum number of e-mails that each domain can send in an hour. On shared hosting accounts, the limit is usually 200 per hour.

Use DNSBL

DNS-based Blackhole List (DNSBL) or Real-time Blackhole List (RBL) is a blacklist of IP addresses on the internet known for sending SPAM e-mails. The most popular DNSBL servers are SpamCop and Spamhaus and can be directly turned on through WHM.

New threats emerge all the time, but if you follow these best practices, your Web servers should be secure — at least for now.



   
Vojislav is a web developer, designer and entrepreneur, based in Belgrade, Serbia. He has been working as a freelancer for more than 6 years, having completed more than 50 projects for clients from all over the worlds, specializing in designing and developing personal portfolios and e-commerce websites using Laravel PHP framework and WordPress content management system. Right now, he works as a full-time senior web developer in a company from Copenhagen.
Comment and Contribute

 

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

 

Sitemap
Thanks for your registration, follow us on our social networks to keep up-to-date